How to lessen the risk of ransomware attacks on your organization's data
It's been about a month since the devastating May 7 ransomware attack on the city of Baltimore's systems, and at the time of this writing only 65% of employees have access to their email.
Water service bills are being estimated and processed manually, as the utility's billing system has been compromised, and city officials must use library computers to process payroll. The particularly vicious malware at the center of this attack, dubbed “Robbin Hood,” disabled nearly all computerized functions for the city government, and the city is only slowly recovering.
Could the same thing happen to your business?
How does ransomware work?
The FBI is still investigating how the Robbin Hood ransomware first entered the Baltimore City network, but most ransomware families, including SamSam (which hit the City of Atlanta), WannaCry (which hit Boeing), Petya and Cryptolocker, follow a similar pattern once they are inside.
The most common entry point is email: a malicious attachment or a link, carried by a carefully crafted phishing message that appears to come from a trusted colleague or vendor ("Bob, here is that report you asked me for last week"), so that the recipient opens the attachment and executes the malware themselves. This is why the payload is called a Trojan. Infection can also begin with a web pop-up or a "drive-by download", where simply visiting a compromised website causes the malware to be downloaded without the user's knowledge. Not every family needs a user to click, though: WannaCry spread on its own by exploiting a Windows SMB vulnerability, and Remote Desktop services exposed to the internet with weak or reused passwords are another frequent way in.
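As an added illustration (not part of the original article, and not taken from the Baltimore incident), here is a small Python screen for the attachment tricks described above: executable and script attachments, macro-enabled Office documents, double extensions such as report.pdf.exe, a Unicode right-to-left-override character that hides the true extension, and Windows executable bytes delivered under a document name. The sample message and its three attachments are constructed inline; the extension lists and the 7.5-bit thresholds elsewhere in this article's examples are the author's own assumptions, not a vendor's ruleset.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that execute code directly when opened on a Windows desktop (assumed list).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe",
                  ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".jar"}
# Office formats that can carry VBA macros.
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
# Containers attackers use to smuggle executables past naive filters.
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}
# Harmless-looking extensions used as the "inner" part of a double extension.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Unicode right-to-left override: "report\u202efdp.exe" is displayed as "reportexe.pdf".
RTLO = "\u202e"


def extensions(filename):
    """All dotted suffixes, lowercased: 'Q2_report.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_attachment(name, payload):
    """Return the list of reasons this attachment should be held for review (empty = pass)."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXT:
        reasons.append("executable or script attachment")
    if last in MACRO_EXT:
        reasons.append("macro-enabled Office document")
    if last in ARCHIVE_EXT:
        reasons.append("archive that may wrap an executable")
    if len(exts) > 1 and exts[-2] in DOCUMENT_EXT:
        reasons.append("double extension disguising the real type")
    if RTLO in name:
        reasons.append("right-to-left override in filename")
    if payload.startswith(b"MZ"):
        reasons.append("content is a Windows PE executable (MZ header)")
    return reasons


def screen_message(raw_bytes):
    """Parse an RFC 5322 message and return [(filename, reasons)] for suspicious attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = assess_attachment(name, payload)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message():
    """Constructed phishing-style message (not a real capture) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Bob, here is that report you asked me for last week"
    msg.set_content("Hi Bob, the report is attached. Let me know if you need anything else.")
    # 1. Executable with a document-looking double extension and a real PE header.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 64,
                       maintype="application", subtype="pdf", filename="Q2_report.pdf.exe")
    # 2. Macro-enabled workbook (a zip container, as real OOXML files are).
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 64, maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="invoice.xlsm")
    # 3. A genuine-looking PDF that should pass.
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in screen_message(build_sample_message()):
        print(f"HOLD {filename}: {'; '.join(reasons)}")
```

Run against the constructed message, the screen holds Q2_report.pdf.exe (three reasons) and invoice.xlsm (macro-enabled), and lets agenda.pdf through. A mail gateway would apply the same checks before delivery; the MZ-header check is what catches a payload whose declared content type and filename are both lies.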
From one to all
Ransomware can stay confined to one computer or spread across the network. Once a foothold is established, the attackers harvest whatever credentials they can: user names and passwords, network server logins and Remote Desktop logins. Those credentials let them push the ransomware to other machines across the organization, and because passwords are so commonly reused across systems, the infection spreads like wildfire.
Why is ransomware so nasty?
Unlike most malware, ransomware does not merely steal data; it locks you out of it by encrypting the files in place.
When the attack triggers, you suddenly cannot open your applications or log in at all. A screen announces that your files have been encrypted and that you must pay a ransom to obtain the decryption key: for Robbin Hood, typically 3 bitcoin (about $24,400) for one computer or 13 bitcoin (about $105,600) for a whole network. Sometimes a countdown clock is displayed, and the ransom increases once the time window has passed.
What if your computer is attacked?
At this point anti-virus tools cannot help. They may remove the malware itself, but they cannot undo encryption performed with a properly implemented cipher, and no one can "disinfect" the files back into their original form. Without the key, you either pay, restore from a backup the malware could not reach, or lose the data.
The city of Baltimore decided not to pay. The FBI does not, in fact, advise against paying under all circumstances. In its "Ransomware Prevention and Response for CISOs" document, the Bureau advises:
“Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness and cost of restarting systems from backup.”
Note that even if you pay, there is no guarantee that the attackers will hand over the decryption key, or that the decryption tool they provide will work. A survey by the research firm CyberEdge Group found that nearly 40% of victims who paid still could not recover their files. Paying may also mark your organization as a willing payer and make you a more likely target for future attacks.
What you can do to avoid an attack
Backup, backup and backup again
The most important defense against ransomware is regular backups combined with a solid business continuity plan. Attackers are betting that you have no segregated backups and will be willing to buy back access to your data. As long as you hold a "clean" copy of your data that the malware could not reach, and you have tested that it actually restores, you can refuse to pay the ransom.
Follow best practice security principles
Update your operating systems, software and applications whenever a new release or patch is available. Watch out for phishing emails and do not open suspicious messages, attachments or links. Restrict users' permissions so that they cannot install or run arbitrary software. Train your employees in security awareness, as cautious online behavior is the best prevention against infecting the network. Keep critical computers isolated from the general network.
Get better protection
Several advanced security tools can add another layer of protection; once installed and kept up to date, they can stop a ransomware attack outright or limit how far it spreads across your network.
Get a complete assessment of your company's security posture and potential risk
Even routine backups may not protect your data. If files were already encrypted or tampered with before the backup ran and nobody noticed, or if the backup store is reachable from the same network the malware is on, the backups may be corrupt or encrypted as well. A complete assessment of your infrastructure can identify vulnerabilities and gaps in protection against internal and external threats.
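To make the two backup points above concrete (keep a clean, segregated copy; do not assume a backup is good just because it ran), here is an added Python example, not from the article, that takes a backup with a SHA-256 manifest and then verifies a later backup set: it checks every file against the manifest, flags files whose byte entropy is close to 8 bits per byte (the signature of ciphertext rather than of documents), and reports files present in a known-good backup that have since vanished, as happens when ransomware renames what it encrypts. The source tree, the "ransomware" step, the .encrypted suffix and the 7.5-bit entropy threshold are all constructed for the demo. In real use the backup target would be offline or otherwise unreachable from the hosts being backed up, and the manifest kept separately from the data.

```python
import hashlib
import json
import math
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte. Text and office documents sit well below 7; ciphertext is close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def take_backup(src, dst):
    """Copy the tree at src to dst and write a manifest of SHA-256 digests. Returns the manifest."""
    src, dst = Path(src), Path(dst)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(dst, known_good=None, entropy_limit=7.5, min_size=256):
    """Return a list of (relative path, problem) for the backup set at dst.

    known_good is the manifest of an earlier backup that was verified clean; any file it
    lists that is absent from this set is reported, since ransomware typically renames
    files as it encrypts them. entropy_limit and min_size are assumed thresholds.
    """
    dst = Path(dst)
    manifest = json.loads((dst / MANIFEST).read_text())
    problems = []
    for rel, digest in manifest.items():
        path = dst / rel
        if not path.is_file():
            problems.append((rel, "listed in manifest but missing"))
            continue
        if sha256_file(path) != digest:
            problems.append((rel, "digest mismatch: altered after backup was written"))
        data = path.read_bytes()
        if len(data) >= min_size and shannon_entropy(data) > entropy_limit:
            problems.append((rel, "high entropy: content looks encrypted"))
    for rel in (known_good or {}):
        if rel not in manifest:
            problems.append((rel, "present in known-good backup, absent now"))
    return problems


def demo():
    """Monday: clean backup. Then simulated ransomware. Tuesday: a backup of encrypted files."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    try:
        src = root / "share"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "payroll.csv").write_text("employee,amount\n" * 200)
        (src / "billing_notes.txt").write_text("Water billing procedure, revision 3.\n" * 50)
        monday = take_backup(src, root / "backup-monday")

        # Constructed stand-in for ransomware: overwrite each file with random bytes
        # (statistically indistinguishable from ciphertext) and append a marker extension.
        for path in [p for p in src.rglob("*") if p.is_file()]:
            path.write_bytes(os.urandom(4096))
            path.rename(path.with_name(path.name + ".encrypted"))

        take_backup(src, root / "backup-tuesday")
        return (verify_backup(root / "backup-monday", monday),
                verify_backup(root / "backup-tuesday", monday))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    clean, infected = demo()
    print("Monday backup problems:", clean)
    for rel, problem in infected:
        print(f"Tuesday backup: {rel}: {problem}")
```

The Monday set verifies clean; the Tuesday set, taken after the simulated infection, produces four findings: both files are high-entropy, and both original names from the known-good manifest are gone. A backup job that only reports "completed successfully" would have retained the Tuesday set as if it were usable, which is exactly the trap the paragraph above warns about.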
Review all security configurations, anti-virus and anti-spyware deployments, patch management and company security policies for accuracy and completeness, and look beyond the tools most businesses rely on today.
To date, cybercriminals have mostly targeted hospitals, government bodies and academic institutions, but ransomware attacks are rising in every industry. Ransomware is expected to hit a business every 14 seconds by the end of 2019. Companies should proactively assess their threat landscape while establishing protocols for restoring operations and protecting sensitive data. Once the cost of work-arounds and downtime is counted, the return on improved cybersecurity is hard to dispute.